December 2, 2021
Social engineering attacks are on the rise. CISOs need to train and empower employees to help stop them.
As each new year begins, CISOs face several typical challenges, ranging from vendor management and budgeting to tracking the implementation of security controls and winning C-suite buy-in for additional ones. Going into 2022, one particular challenge stands out to Mindsight Cybersecurity Practice Lead Mishaal Khan: better preparing company leaders and their employees for social engineering attacks.
Since the COVID-19 pandemic began in early 2020 and businesses quickly pivoted to full-time remote work as a result, Khan says, incidents of social engineering — essentially, leveraging human psychology to trick people via email, phone, websites or video into divulging sensitive company information — are on the rise.
Indeed, the FBI’s Internet Crime Commission (IC3) reported a “record increase” in cybercrime last year, with 791,790 complaints of suspected internet crime. That’s over 300,000 more complaints than in 2019. Total reported losses exceeded $4.2 billion. According to the Identity Theft Resource Center, 2021 has so far been even worse.
Considering that most cyber-attacks involve some degree of social engineering to, as CISOmag.com wrote earlier this year, “exploit human curiosity, desire, anxiety, eagerness and urgency,” Khan’s concern is well-founded.
But there’s a solution, he says.
“It’s really more about refocusing attention on training or retraining people than it is about enhancing technology of any kind.”
How has remote work made social engineering more effective and widespread?
It’s elevated now because interpersonal communication has gone down. Small talk has gone away. People knowing each other by name, by voice, by face is slowly going away. And that is giving the bad guys an advantage. Now, phishing attacks are more believable. Or impersonating someone’s voice and saying, “I’m calling from IT” or whatever other department. And people who are new employees will have never met them or heard their voices to know if they’re real or not.
In educating people about social engineering attacks, is it beneficial to put them through real-life scenarios rather than just lecturing on the subject?
Some companies will send their employees fake phishing emails to see what gets through. If they’re successful, the employee is notified with some sort of on-screen pop-up. But that’s just a baseline level of awareness. They’re not being put through actual disaster scenarios or anything. That higher-level incident-response training in a controlled environment is probably only happening in IT, but a customized version would be beneficial for all employees. For companies with fewer than 100 employees, I’ve done live security presentations with no more than 15 or 20 people in the room. I’ve also done live social engineering training where I’ve sent them phishing emails and asked them to click on one to see what warning pops up on the projection screen. I also click on ransomware in front of them to show them how it works. For many of them, this is the first time they’ve seen the destructive nature of just one click. And they remember it because they’re involved in the process rather than just reading something or listening to someone. They’re part of an experience. There’s a social engineering element, too.
During the break after the first session, I start talking to people in a relaxed way about where they live, what their kids’ and pets’ names are, where they bank. When the break is done, I reveal to them how much personal information I was able to obtain that could be used for social engineering purposes. I apologize for betraying their trust, but it’s done to show them how easy it is to get information that could help criminals breach a company’s security system without hacking it. It’s a slow process and one that’s not very scalable, but it works. And then people pass along their new knowledge to kids, spouses, friends. So you’re training them not just for work, but for life.
Training is important, but social engineering is rooted in human psychology rather than anything technological. How do you get people to change the way they think about it — and security in general?
Organizations need to cultivate a culture of security where security controls are not considered annoyances or hindrances to work. Instead, they’re considered helpful contributions. And it’s the company’s responsibility to develop a program that makes employees feel more positive and empowered about contributing. That could mean getting rewarded in some way with recognition or possibly even financially for something as small as forwarding a phishing email to the security team. They need to know that their contribution, no matter the size, is having a positive impact on the entire organization. A third-party company like Mindsight can help organizations to create and maintain that culture.
Culture trickles down from the top. Should CISOs be working more closely with CEOs to make sure they’re on the same page about social engineering specifically and security in general?
They have to. It can’t come from the bottom up, because leaders are the ones who are rewarding this behavior. If they don’t care, neither will their employees. That’s happening more now because lots of the newer executives being promoted come from technology backgrounds and they’re more accustomed to technology in general. An organization that wants to be proactive needs to have sessions around security and social engineering. They need to empower employees and make them feel part of the security organization. If every single person is aware of and motivated to report threats, a hacker’s job becomes much more difficult.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often-murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open-source intelligence.